Andy Greenberg of Forbes reports that the SafeHouse site launched by The Wall Street Journal on Thursday for sources to provide documents and information has problems that would allow those sources to be identified.
Greenberg writes, “But within hours, the security community was pointing to flaws in the site’s protections for anonymous leakers and the fine print of its policy for source protections that could give away the identities of would-be whistleblowers.
“‘Pro tip: if you’re going to create a document leaking website – have a clue!’ wrote security researcher Jacob Appelbaum in his Twitter feed.
“Appelbaum, a developer for the Tor anonymity network and a past volunteer for WikiLeaks, says that SafeHouse insecurely implements Secure Socket Layer (SSL) encryption, the protection meant to render any data passed between a user and a website unreadable. When a visitor goes to http://wsjsafehouse.com, for instance, that unencrypted site offers a link to the encrypted HTTPS version of the site. But Appelbaum points out that it doesn’t use a mechanism called Strict Transport Security to switch from the insecure to the encrypted connection. So any lurking man-in-the-middle on the user’s network can use a tool like SSL Strip to make it appear that he or she has entered the encrypted version of the site when in fact the traffic is unprotected.”
Read more here.
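For readers who run sites that accept sensitive submissions, here is a check for the gap described above, written for this post as an added example and not taken from the Forbes article or from SafeHouse. It inspects a site's plain-HTTP and HTTPS responses for a redirect to HTTPS and a usable Strict-Transport-Security header; the sample responses, the `example.test` host, the finding names and the 180-day `min_age` threshold are all assumptions.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def audit(http_resp, https_resp, min_age=15552000):
    """Return finding codes for one site.

    Each response is (status, headers). min_age (180 days) is an assumed
    threshold, not a value from the article.
    """
    findings = []
    status, headers = http_resp
    h = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 302, 307, 308) or \
            not h.get("location", "").lower().startswith("https://"):
        findings.append("http-serves-content")   # user must click through to HTTPS
    status, headers = https_resp
    h = {k.lower(): v for k, v in headers.items()}
    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("hsts-missing")          # browser never learns to refuse HTTP
    else:
        age = parse_hsts(sts)["max_age"]
        if age is None:
            findings.append("hsts-invalid")
        elif age == 0:
            findings.append("hsts-disabled")     # max-age=0 clears the policy
        elif age < min_age:
            findings.append("hsts-short-max-age")
    return findings


# Constructed samples (example.test is a placeholder host).
AS_DESCRIBED = ((200, {"Content-Type": "text/html"}),
                (200, {"Content-Type": "text/html"}))
HARDENED = ((301, {"Location": "https://example.test/"}),
            (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))

if __name__ == "__main__":
    print(audit(*AS_DESCRIBED))
    print(audit(*HARDENED))
```

Strict Transport Security only takes effect after the browser has received the header once over HTTPS, so the redirect and the header need to be in place together.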